[Rpm-maint] next question: can rpm fail (instead of warn) on a bad signature?
Paul Nasrat
pnasrat at redhat.com
Fri Dec 15 09:56:11 UTC 2006
On Fri, 2006-12-15 at 09:48 +0000, Paul Nasrat wrote:
> On Fri, 2006-12-15 at 01:45 -0800, Shandy Brown wrote:
> > > NOT OK will only occur if the file is corrupted - if it is an intact rpm
> > > but unsigned it still has a header digest and a header+payload digest to
> > > verify it's untampered with. Thus rpm -K tells you this is the rpm
> > > built and intact and the payload and headers are consistent with the
> > > digests.
> >
> > Is there some other method to detect that an rpm file is not signed?
> >
> > Other than installing it and checking with rpm -qi.
>
> You can do it programmatically, with --queryformat or use something like
> yum with gpgcheck=1.
The traditional queryformat string used is:
rpm --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|' \
-qp foo.rpm
If that returns (none) then it's unsigned.
Using rpmUtils module from yum:
import rpmUtils
import rpmUtils.transaction
import rpmUtils.miscutils
# read-only transaction set used to open the package header
t = rpmUtils.transaction.TransactionWrapper()
h = rpmUtils.miscutils.hdrFromPackage(t,
"sylpheed-claws-2.5.6-1.fc6.x86_64.rpm")
# returns (error, siginfo); error is nonzero when the package carries no signature
rpmUtils.miscutils.getSigInfo(h)
For pure rpm-python look at how getSigInfo works
Paul
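As an added illustration (not part of Paul's message, and not rpm's or yum's own code), the same "is there a signature at all?" test can be done without rpm-python by walking the RPM signature header directly and looking for the four tags the --qf string above checks (RSAHEADER, DSAHEADER, SIGGPG, SIGPGP). The tag numbers below are assumed to be rpm's RPMSIGTAG_RSA/DSA/GPG/PGP values; the sample packages are constructed in memory and carry only a lead plus a signature header index, which is all this check needs.

```python
import struct

# RPM on-disk layout: a 96-byte lead, then the signature header (an RPM
# header structure), padded to 8 bytes, then the main header and payload.
LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic + version 1

# Signature-header tags that the queryformat string in the message tests.
# Assumed RPMSIGTAG_* values (not taken from the message).
SIG_TAGS = {
    268: "RSAHEADER",   # RPMSIGTAG_RSA
    267: "DSAHEADER",   # RPMSIGTAG_DSA
    1005: "SIGGPG",     # RPMSIGTAG_GPG
    1002: "SIGPGP",     # RPMSIGTAG_PGP
}


def parse_signature_tags(data):
    """Return the set of tag numbers present in the signature header of an RPM
    image given as bytes. Raises ValueError on anything that is not an RPM."""
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # header intro: magic(4) reserved(4) nindex(4) hsize(4), big-endian
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    off += 16
    if len(data) < off + 16 * nindex + hsize:
        raise ValueError("truncated signature header")
    tags = set()
    for i in range(nindex):
        # each index entry: tag(4) type(4) offset(4) count(4)
        tag, _typ, _offset, _count = struct.unpack(
            ">IIII", data[off + 16 * i:off + 16 * (i + 1)])
        tags.add(tag)
    return tags


def signature_status(data):
    """List the signature tag names found; an empty list is the same
    condition the --qf string reports as (none): the package is unsigned."""
    present = parse_signature_tags(data)
    return [name for tag, name in SIG_TAGS.items() if tag in present]


def is_signed_file(path):
    """Convenience wrapper: True if the RPM at `path` carries any signature tag."""
    with open(path, "rb") as f:
        return bool(signature_status(f.read()))


def build_rpm(sig_tags):
    """Construct a minimal RPM-like byte string (test data, not a real package):
    a lead and a signature header whose index lists the given tags with
    four bytes of filler each."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    entries, store = b"", b""
    for tag in sig_tags:
        entries += struct.pack(">IIII", tag, 7, len(store), 4)  # type 7 = BIN
        store += b"\x00" * 4
    header = (HEADER_MAGIC + b"\x00" * 4
              + struct.pack(">II", len(sig_tags), len(store))
              + entries + store)
    return lead + header


if __name__ == "__main__":
    # 1000 = size, 1004 = MD5 digest: present on every package, signed or not
    print(signature_status(build_rpm([1000, 1004, 268])))   # ['RSAHEADER']
    print(signature_status(build_rpm([1000, 1004])))        # []
```

This only tells you whether a signature is present, which is exactly what the (none) test above tells you; it says nothing about whether the signature verifies against a key you trust, so it complements rather than replaces rpm -K or yum's gpgcheck=1.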